Attrition, DEFCON 20, and a Bit of Advice

Sun Jul 15 19:59:56 CDT 2012

staff[at]attrition.org

Attrition.org will have a small representation at DEFCON 20 this year. Throughout next week, you can
find Jericho and cji at different venues and events. As two of the staff members that work on Errata,
we will be available to answer questions about the project. In the past year there have been occasional
questions about availability and the perception that once we publish something, it is set in stone.
This is absolutely not the case. At DEFCON 19, after a 1+ hour sit-down with someone listed on Errata,
they were ultimately removed. The Errata project is a guideline, not gospel. For DEFCON 20, we already
have a sit-down scheduled with one person that is on the unpublished charlatan watch list, so that
we can get more information and also discuss his concerns.

Jericho will be presenting "Errata Hits Puberty: 13 Years of Chagrin" on Wednesday afternoon at
the BlackHat Briefings. This is the same talk (with minor enhancements) that was given at RVAsec
last month. He will be around the BlackHat venue before and after the talk for any questions or
discussions, except perhaps for HTBridge employees (as they have filed criminal defamation charges
against him in Switzerland [1/2/13 Update: Charges since dropped]). Everyone else, feel free to chat. Jericho will be at BSidesLV for part
of Wednesday, and all day Thursday. You can find him at the OSF booth being a 'babe'. Questions
about the Open Source Vulnerability Database? Discussion about VDBs in general? Bring them. Friday
and Saturday, both Jericho and cji will be around the DEFCON venue with no schedule in mind. Look
for the squirrely types.

First, as some noticed last night, we sold 3 of the badges on eBay. This was done to cover the cost of
all 25 badges, so we break even on them. The new shirts will be the same way; enough will be sold
so that the cost to make them is recovered. We don't care about profiting off of this glorious
merchandise, but remember that the Errata project already costs money to run. Historically, we're
in the hole several thousand dollars. The money spent on marketing (e.g., shirts, wristbands, stickers)
is also out of our pocket in the past. Since we have had to cover one court case related to Errata,
and are currently wrapped up in a second, money for legal fees is a must. While some people think
that selling merchandise is lame, to each their own. These are very small runs that are primarily
given to friends and supporters of our project. Now the part you care about. How can you get your grubby
hands on some Attrition.org schwag? Read on, heathens.

There will be a handful of badges and shirts available next week. They are on a
first-come-first-serve-and-our-mood-depending basis. Some are already spoken for, some
have already asked where we will be early in the week to mug us for one. If you have
something to barter, that may increase your chances of getting one. Have tips about companies
or individuals that should be on the Errata radar? Cough them up, and cite your sources!
Have a shirt or badge from your organization or project? Maybe a swap is in order.
In addition, there will be quite a few wristbands and a lot of stickers to give away.
Don't be shy, find Jericho or cji and banter.

Conference Advice

jericho

If you are still reading, I would like to offer some advice for the conferences next week.
This goes for BlackHat, BSidesLV, and DEFCON 20. As a long time con-goer, there is one thing that
consistently disappoints me at conferences. This came to a breaking point at DEFCON 18 when
one talk I attended came with a disclaimer: no questions or comments during the talk. Any
questions would only come after the talk, in a separate 'media' room, away from the crowd,
despite the talk topic being big in the news, and controversial to some.
This rule was absurd, especially for a conference that has a history of crowd participation.
To me, if a speaker says something that is questionable or inaccurate, the audience should hear
any objections or corrections. Having a speaker tell hundreds of people incorrect information,
then be corrected after the talk in a room with a dozen people simply isn't right. In this case,
I walked out of the talk halfway through when the speaker got some things provably wrong. So my
advice to you is this: speak up. Rules be damned. Be respectful, but don't be afraid to interrupt
a speaker if they are spewing bullshit. If you have a question that is timely, raise your hand
to encourage the speaker to turn it into an open forum. Why?

Because the odds are good he is not the most knowledgeable person in the room on the topic.
That is a growing trend in our industry, where people that are quite new to InfoSec end up
speaking on a topic they have little experience with (relatively speaking). Speakers, you have
a responsibility to ask yourself questions before you submit a talk to any conference. First,
why are you speaking and not someone else? Second, are you in the top 5% of the industry regarding
your given topic? Third, if you aren't, are you bringing a truly new and refreshing angle to
a topic? If you can't answer the first, or answer "no" to the other two questions, don't submit
a talk. Audience, think of these questions in the context of the speaker you are watching. If you
have doubts, ask the speaker these questions. The presentation bio slide should explain the
first two questions. We don't care that you were a VMS admin in 1993, if you are giving a talk
about social engineering. Speakers need to list their relevant experience to the topic
at hand. Further, speakers should encourage discussion. They should not hide from potential
criticism. If they are truly an expert on their topic, then they will be able to defend any
point they make.

Finally, if you are in a talk that falls short, tell the speaker. Be polite, but voice your
concerns! If all they hear is polite applause after, they may have no idea the talk was a joke.
Does the conference give you a chance to submit feedback? DO IT. Conference CFP teams have
very little information to go on for new speakers. If a talk wasn't worth the time, tell them
so that next year they are better prepared to recognize talks that are potentially lacking.
Let them know so the same person doesn't get accepted again to give another crappy talk.
In short, it is on you to police the industry. This starts with standing up for your right
not to have your time wasted in a presentation.